> Seth, I actually think that enforcing nonces should make this attack
> impossible for guessing OAuth signatures (assuming you enforce nonces
> for malformed requests). If you can only get a good/bad response once
> then you're out of luck.
I was thinking that the attacker would be attempting to guess consumer and token keys and secrets, not signatures. With that approach, you can continue generating valid requests using different keys and secrets ad infinitum. Thus, checking nonces and timestamps is irrelevant.

seth

You received this message because you are subscribed to the Google Groups "OAuth" group. For more options, visit this group at http://groups.google.com/group/oauth?hl=en
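The distinction drawn in this exchange, as an added example that is not code from the thread: a minimal OAuth 1.0 HMAC-SHA1 verifier that enforces nonce and timestamp replay checks and also counts failed signature checks per consumer key. The replay check never fires on requests that each carry a fresh nonce, so only the per-key failure counter ends a run of wrong-secret attempts. The consumer registry, endpoint URL, skew window and lockout threshold are assumed values.

```python
import base64, hashlib, hmac, time
from urllib.parse import quote

# Added example, not code from the thread: OAuth 1.0 HMAC-SHA1 verification with
# nonce/timestamp replay checks plus a per-consumer-key failed-signature counter.
def pct(s):
    return quote(str(s), safe="~")   # RFC 3986 unreserved characters only

def sign(method, url, params, consumer_secret, token_secret=""):
    norm = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params.items()))
    base = "&".join([method.upper(), pct(url), pct(norm)])
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

class Verifier:
    WINDOW, MAX_FAILURES = 300, 5   # clock-skew window and lockout threshold (assumed)

    def __init__(self, consumers, now=time.time):
        self.consumers, self.now = consumers, now   # consumer_key -> consumer_secret
        self.seen, self.failures = set(), {}        # used nonces; failed checks per key

    def verify(self, method, url, params):
        ck = params.get("oauth_consumer_key")
        secret = self.consumers.get(ck)
        if secret is None or self.failures.get(ck, 0) >= self.MAX_FAILURES:
            return "rejected"
        ts, nonce = int(params["oauth_timestamp"]), params["oauth_nonce"]
        if abs(self.now() - ts) > self.WINDOW or (ck, ts, nonce) in self.seen:
            return "replay"
        self.seen.add((ck, ts, nonce))   # burn the nonce even if the signature fails
        unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
        if hmac.compare_digest(sign(method, url, unsigned, secret), params["oauth_signature"]):
            return "ok"
        self.failures[ck] = self.failures.get(ck, 0) + 1
        return "bad_signature"

URL = "https://api.example.test/resource"   # constructed endpoint

def make_request(consumer_key, secret, nonce, ts):
    p = {"oauth_consumer_key": consumer_key, "oauth_nonce": nonce, "oauth_timestamp": str(ts),
         "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0"}
    p["oauth_signature"] = sign("GET", URL, p, secret)
    return p

def demo(now=1700000000):
    v = Verifier({"key1": "sekrit"}, now=lambda: now)   # constructed consumer registry
    good = make_request("key1", "sekrit", "n1", now)
    out = [v.verify("GET", URL, good), v.verify("GET", URL, good)]   # "ok", then "replay"
    # Fresh nonce per attempt: the replay check never fires, only the failure counter does.
    out += [v.verify("GET", URL, make_request("key1", f"guess{i}", f"g{i}", now)) for i in range(6)]
    return out
```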
